UPX

from Wikipedia, the free encyclopedia
Basic data

Developer: Markus F.X.J. Oberhumer, László Molnár & John F. Reiser
Current version: 3.96 (January 22, 2020)
Operating system: Windows, Linux, BSD, DOS, Atari
Programming language: Assembler, C++
Category: Encoder
License: GPL
German-language version: No
Website: upx.github.io

UPX (Ultimate Packer for eXecutables) is a free (GNU General Public License) packer for executable files that supports a number of formats.

UPX is particularly suitable for compressing Unix ELF (32- and 64-bit), DOS EXE (16- and 32-bit), Windows PE (EXE and DLL) or even TOS files. In contrast to files compressed with widely used compression methods (such as ZIP and RAR), files compressed with UPX can be executed normally (i.e. without prior unpacking).

The purpose of compressing executable files is to reduce file sizes and possibly achieve shorter startup times compared to an uncompressed file. The shorter loading times result when the additional computing time required for decompression in main memory matters less than the time needed to load the larger file from the hard drive or over a network.

Advantages of this program over others of its kind are, above all, its partially open source code (it is distributed as free software), its cross-platform properties and its high compression ratios.

Packing executable program files

When executable program files are compressed, the program data is packed and prefixed with an unpacking routine (decompressor) that unpacks the actual program data and then starts it. The unpacking routine is an independent program that makes packed and unpacked programs indistinguishable for the average user, since no further steps are needed to run them.

Software producers use the technology for a variety of reasons, mainly to reduce the secondary storage requirements of their applications. Because UPX is specially designed for executable program files, it often achieves better compression ratios than conventional data compression solutions such as ZIP, gzip or bzip2. This allows the manufacturer to keep the storage space requirements of their programs within the limits of the distribution medium or to minimize the time or bandwidth required for access via the Internet.

Another advantage of UPX is that complete directories (e.g. program and additional data, libraries, resources) can be bundled in one file, which can, for example, make automatic updates or distribution in company networks clearer, safer and easier.

As of version 3.09.1, program files and libraries are also supported for the first time under 64-bit Microsoft Windows (x86-64). This function is currently still considered experimental.

Compression technique

UPX uses a proprietary data compression library called Not Really Vanished (NRV). Alternatively, a free implementation of the NRV algorithm called UCL can be used. LZMA and zlib are also available as compression methods.

UCL and NRV were designed to be simple enough that a decompressor could fit into just a few hundred bytes of code. With UCL, no additional memory has to be allocated for unpacking, which is a considerable advantage since a program packed with UPX does not need any additional memory.

Decompression

UPX knows two different methods of unpacking: the file can

Unpacking directly into memory is the superior technique, but it is not possible on all supported platforms. On platforms where direct unpacking is not possible, temporary files are used, which entails additional overhead and other disadvantages but allows program files of any format to be packed. The program data is extracted into a temporary file, which is then executed. Extracting to a temporary file has a number of disadvantages: special rights such as suid are ignored, the command-line parameter argv[0] (which a program uses to query its own file name) loses its meaning, and it becomes impossible for programs to share parts.

Obfuscation

Obscuring the nature or function of a program file is sometimes desirable to impede reverse engineering. EXE packers can be used to prevent direct disassembly, hide strings and change signatures. However, UPX is not a good protection against reverse engineering, since UPX-packed programs can be unpacked again by UPX itself and can also be easily restored with debuggers or dumpers.

Unchanged UPX-packed programs are often recognized as such by antivirus programs and unpacked.
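A triage check for the unchanged UPX output described above, as an added example that is not part of the original article or of the UPX project: it looks for the UPX0/UPX1 section names and the UPX! marker that stock UPX leaves in Windows PE files. Those two markers, the helper names and the constructed header bytes are assumptions not stated on this page.

```python
import struct

UPX_MAGIC = b"UPX!"  # marker in stock UPX's pack header (assumption: not stated on the page)

def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, or [] if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                          # section table follows optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]      # 40-byte entry, name in first 8 bytes
        if len(raw) < 8:
            break                                           # truncated table: stop, do not guess
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def upx_indicators(data: bytes) -> list[str]:
    """List the stock-UPX markers found; an empty list does not prove the file is unpacked."""
    hits = []
    if {"UPX0", "UPX1"} <= set(pe_section_names(data)):
        hits.append("sections UPX0/UPX1")
    if UPX_MAGIC in data:
        hits.append("UPX! marker")
    return hits

def build_sample(names: list[str], magic: bool = False) -> bytes:
    """Constructed PE headers only (not a runnable program), used as offline test input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode("ascii").ljust(40, b"\0") for n in names)
    return dos + b"PE\0\0" + coff + table + (UPX_MAGIC if magic else b"")

if __name__ == "__main__":
    for label, blob in [("packed-like", build_sample(["UPX0", "UPX1", ".rsrc"], True)),
                        ("plain", build_sample([".text", ".data", ".rsrc"]))]:
        print(label, pe_section_names(blob), upx_indicators(blob))
```

Because the check only matches unchanged UPX output, a hit is a reason to unpack and scan the payload, while a miss says nothing about whether the file is packed.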

Disadvantages

Applying UPX to programs can have several disadvantages. For one, some tools can no longer recognize the library dependencies of the packed program, since only the statically linked decompression part is visible. UPX can also lengthen the initialization times of programs. Some antivirus programs treat runtime-compressed program files as viruses.

UPX-compressed program files also have a greater impact on system resources. The operating system cannot read a decompressed image directly from the disk (see virtual memory management), as it does in the case of uncompressed executable files. Instead, the UPX decompressor reserves a memory area for the unpacked data, which remains allocated as long as the program file is loaded, comparable to memory areas for other data that accumulates at runtime. If the operating system wants to remove parts of the program from main memory as part of swapping, it must first write these parts to swap space. The reuse of resources when several instances of the same UPX-compressed program are loaded is also prevented, or at least made more difficult when using KSM.
